-file-..-2f..-2f..-2f..-2fhome-2f-2a-2f.aws-2fcredentials
At first encounter, the string -file-..-2F..-2F..-2F..-2Fhome-2F-2A-2F.aws-2Fcredentials looks like gibberish. To a security professional or a seasoned developer, however, it immediately raises red flags: it is an obfuscated path traversal payload aimed at one of the most sensitive files on a Unix-based system, the AWS credentials file.
In this article, we will:
| Category | Severity |
|----------|----------|
| Credential Theft | Critical |
| Cloud Account Compromise | Critical |
| Lateral Movement | High |
| Data Exfiltration | High |
Imagine a web application with a “download log file” feature:
https://victim.com/download?file=app.log
The backend code:
```python
from flask import request  # Flask handler assumed; the article does not name the framework

def download():
    filename = request.args.get('file')
    with open('/var/log/app/' + filename, 'r') as f:  # vulnerable: no normalization or containment check
        return f.read()
```
An attacker sends:
https://victim.com/download?file=../../../../home/ec2-user/.aws/credentials
The server opens /var/log/app/../../../../home/ec2-user/.aws/credentials, which normalizes to /home/ec2-user/.aws/credentials, and the contents of the credentials file are returned to the attacker.
If the request instead carries the obfuscated string ..-2F..-2F..-2Fhome-2F-2A-2F.aws-2Fcredentials (evidently `%2F` for the slash and `%2A` for a `*` meant to match any user's home directory, with the percent sign rendered as a dash), it may be an attempt to bypass input filters that look only for a literal `../`. Once the server decodes and normalizes it, it still resolves to the credentials file.
```python
import os

BASE_DIR = os.path.realpath('/var/app/data')
class SecurityError(Exception): pass

full_path = os.path.realpath(os.path.join(BASE_DIR, user_file))
if not full_path.startswith(BASE_DIR + os.sep):  # trailing separator rejects siblings such as /var/app/data2
    raise SecurityError("Path traversal detected")
```
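The two snippets above show the vulnerable handler and the fix in isolation. As an added example (not code from the article), the block below puts decoding, normalization and containment checking into one function and runs a simple detector over constructed request lines, so the plain, percent-encoded and double-encoded forms of the payload can all be tried against it. The base directory `/var/app/data` follows the article; the `SecurityError` class, the helper names, the sample request lines, and the reading of the article's `..-2F` form as a percent sign rendered as a dash are assumptions made for this example.

```python
import os
import re
from urllib.parse import unquote

# Base directory taken from the article's fix. The check is kept lexical (normpath) so the
# example runs without the directory existing; in production apply os.path.realpath to both
# sides, as the article does, so symlinks inside the directory are resolved before the check.
BASE_DIR = os.path.normpath("/var/app/data")

# A parent-directory step followed by a literal or percent-encoded separator. The "-2f"
# alternative covers the article's dash-for-percent rendering and is included on that assumption.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%2f|%5c|-2f)", re.IGNORECASE)


class SecurityError(Exception):
    """Raised when a requested file would resolve outside BASE_DIR (name assumed for this example)."""


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so double-encoded %252F is caught as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safely(user_file: str, base_dir: str = BASE_DIR) -> str:
    """Return the canonical path for user_file, or raise SecurityError if it escapes base_dir."""
    decoded = decode_fully(user_file)
    # A single-file download has no use for wildcards or NUL bytes.
    if any(ch in decoded for ch in "*?[\x00"):
        raise SecurityError("Illegal character in filename")
    # os.path.join drops base_dir when decoded is absolute; normpath collapses the ".." steps.
    full_path = os.path.normpath(os.path.join(base_dir, decoded))
    # commonpath avoids the prefix bug where /var/app/data2 passes a startswith("/var/app/data") test.
    if os.path.commonpath([base_dir, full_path]) != base_dir:
        raise SecurityError("Path traversal detected")
    return full_path


def is_safe_filename(user_file: str) -> bool:
    """Boolean wrapper around resolve_safely for filters and tests."""
    try:
        resolve_safely(user_file)
        return True
    except SecurityError:
        return False


def is_traversal_attempt(request_line: str) -> bool:
    """Flag a request whose raw or decoded form contains a traversal step or names the AWS credentials file."""
    decoded = decode_fully(request_line)
    return bool(TRAVERSAL_RE.search(request_line) or TRAVERSAL_RE.search(decoded)
                or ".aws/credentials" in decoded)


# Constructed access-log request lines for the detector (not taken from the article).
SAMPLE_REQUESTS = [
    "GET /download?file=app.log",
    "GET /download?file=../../../../home/ec2-user/.aws/credentials",
    "GET /download?file=..%2F..%2F..%2Fhome%2F%2A%2F.aws%2Fcredentials",
    "GET /download?file=..%252F..%252Fetc%252Fpasswd",
    "GET /download?file=..-2F..-2F..-2Fhome-2F-2A-2F.aws-2Fcredentials",
]


def scan_requests(lines=SAMPLE_REQUESTS) -> list:
    """Return the request lines that the detector flags."""
    return [line for line in lines if is_traversal_attempt(line)]


if __name__ == "__main__":
    for name in ("app.log", "logs/2024/app.log",
                 "../../../../home/ec2-user/.aws/credentials", "..%252F..%252Fetc%252Fpasswd"):
        print(f"{name!r:55} safe={is_safe_filename(name)}")
    for line in scan_requests():
        print("FLAGGED:", line)
```

The containment check deliberately runs on the decoded and normalized path rather than on the raw parameter, because that is what the filesystem will actually see; the regex detector is a separate, cheaper signal suited to log review and alerting, and it inspects both the raw and the decoded request so single-, double- and oddly-encoded variants all surface.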